GNUnet 0.22.2
crypto_cs.c File Reference

Clause Blind Schnorr signatures using Curve25519. More...

#include "platform.h"
#include "gnunet_util_lib.h"
#include <sodium.h>
#include <gcrypt.h>


Functions

void GNUNET_CRYPTO_cs_private_key_generate (struct GNUNET_CRYPTO_CsPrivateKey *priv)
 IMPLEMENTATION NOTICE: More...
 
void GNUNET_CRYPTO_cs_private_key_get_public (const struct GNUNET_CRYPTO_CsPrivateKey *priv, struct GNUNET_CRYPTO_CsPublicKey *pub)
 Extract the public key of the given private key. More...
 
static void map_to_scalar_subgroup (struct GNUNET_CRYPTO_Cs25519Scalar *scalar)
 Maps 32 random bytes to a scalar. More...
 
void GNUNET_CRYPTO_cs_r_derive (const struct GNUNET_CRYPTO_CsSessionNonce *nonce, const char *seed, const struct GNUNET_CRYPTO_CsPrivateKey *lts, struct GNUNET_CRYPTO_CsRSecret r[2])
 Derive a new secret r pair r0 and r1. More...
 
void GNUNET_CRYPTO_cs_r_get_public (const struct GNUNET_CRYPTO_CsRSecret *r_priv, struct GNUNET_CRYPTO_CsRPublic *r_pub)
 Extract the public R of the given secret r. More...
 
void GNUNET_CRYPTO_cs_blinding_secrets_derive (const struct GNUNET_CRYPTO_CsBlindingNonce *blind_seed, struct GNUNET_CRYPTO_CsBlindingSecret bs[2])
 Derives new random blinding factors. More...
 
static void cs_full_domain_hash (const struct GNUNET_CRYPTO_CsRPublic *r_dash, const void *msg, size_t msg_len, const struct GNUNET_CRYPTO_CsPublicKey *pub, struct GNUNET_CRYPTO_CsC *c)
 Computes a Hash of (R', m) mapped to a Curve25519 scalar. More...
 
static void calc_r_dash (const struct GNUNET_CRYPTO_CsBlindingSecret *bs, const struct GNUNET_CRYPTO_CsRPublic *r_pub, const struct GNUNET_CRYPTO_CsPublicKey *pub, struct GNUNET_CRYPTO_CsRPublic *blinded_r_pub)
 calculate R' More...
 
void GNUNET_CRYPTO_cs_calc_blinded_c (const struct GNUNET_CRYPTO_CsBlindingSecret bs[2], const struct GNUNET_CRYPTO_CsRPublic r_pub[2], const struct GNUNET_CRYPTO_CsPublicKey *pub, const void *msg, size_t msg_len, struct GNUNET_CRYPTO_CsC blinded_c[2], struct GNUNET_CRYPTO_CSPublicRPairP *r_pub_blind)
 Calculate two blinded c's. More...
 
void GNUNET_CRYPTO_cs_sign_derive (const struct GNUNET_CRYPTO_CsPrivateKey *priv, const struct GNUNET_CRYPTO_CsRSecret r[2], const struct GNUNET_CRYPTO_CsBlindedMessage *bm, struct GNUNET_CRYPTO_CsBlindSignature *cs_blind_sig)
 Sign a blinded c. More...
 
void GNUNET_CRYPTO_cs_unblind (const struct GNUNET_CRYPTO_CsBlindS *blinded_signature_scalar, const struct GNUNET_CRYPTO_CsBlindingSecret *bs, struct GNUNET_CRYPTO_CsS *signature_scalar)
 Unblind a blind-signed signature using a c that was blinded. More...
 
enum GNUNET_GenericReturnValue GNUNET_CRYPTO_cs_verify (const struct GNUNET_CRYPTO_CsSignature *sig, const struct GNUNET_CRYPTO_CsPublicKey *pub, const void *msg, size_t msg_len)
 Verify whether the given message corresponds to the given signature and the signature is valid with respect to the given public key. More...
 

Variables

static const unsigned char L_BIG_ENDIAN [32]
 

Detailed Description

Clause Blind Schnorr signatures using Curve25519.

Author
Lucien Heuzeveldt lucie.nosp@m.ncla.nosp@m.ude.h.nosp@m.euze.nosp@m.veldt.nosp@m.@stu.nosp@m.dents.nosp@m..bfh.nosp@m..ch
Gian Demarmels gian@.nosp@m.dema.nosp@m.rmels.nosp@m..org

Definition in file crypto_cs.c.

Function Documentation

◆ map_to_scalar_subgroup()

static void map_to_scalar_subgroup ( struct GNUNET_CRYPTO_Cs25519Scalar scalar)
static

Maps 32 random bytes to a scalar.

This is the RFC 7748 clamping (clear the three low bits, clear bit 255, set bit 254): it turns the random bytes into a non-zero multiple of the cofactor 8 with a fixed bit length, the form libsodium's scalar-multiplication routines are designed for. The scalar itself is not an element of any subgroup; note also that a clamped value is not uniformly distributed modulo the group order L.

Parameters
[in,out] scalar — 32-byte little-endian scalar; clamped in place

Definition at line 69 of file crypto_cs.c.

/**
 * Clamp a 32-byte random string into the form libsodium's scalar
 * multiplication routines expect (RFC 7748, Section 5, decodeScalar25519):
 * the three low bits are cleared (multiple of 8, the curve cofactor),
 * bit 255 is cleared and bit 254 is set (fixed bit length, never zero).
 *
 * NOTE(review): the result is not uniformly distributed modulo the group
 * order L -- the top bit and the three low bits are fixed.  Whether that
 * bias is acceptable for the nonce r and the blinding factors this is
 * applied to (see GNUNET_CRYPTO_cs_r_derive() and
 * GNUNET_CRYPTO_cs_blinding_secrets_derive()) is a property of the
 * scheme, not of this code; confirm.
 *
 * @param[in,out] scalar 32-byte little-endian scalar, clamped in place
 */
static void
map_to_scalar_subgroup (struct GNUNET_CRYPTO_Cs25519Scalar *scalar)
{
  unsigned char *b = scalar->d;

  b[0] &= 0xF8;                                     /* clear bits 0..2 */
  b[31] = (unsigned char) ((b[31] & 0x7F) | 0x40);  /* clear bit 255, set bit 254 */
}
unsigned char d[crypto_core_ed25519_SCALARBYTES]
32 byte scalar

References GNUNET_CRYPTO_Cs25519Scalar::d.

Referenced by GNUNET_CRYPTO_cs_blinding_secrets_derive(), and GNUNET_CRYPTO_cs_r_derive().


◆ cs_full_domain_hash()

static void cs_full_domain_hash ( const struct GNUNET_CRYPTO_CsRPublic r_dash,
const void *  msg,
size_t  msg_len,
const struct GNUNET_CRYPTO_CsPublicKey pub,
struct GNUNET_CRYPTO_CsC c 
)
static

Computes the full-domain hash of (R', m), salted with the public key and reduced modulo the group order L, giving the challenge scalar c.

Parameters
r_dash blinded public R' (hashed together with the message)
msg message to be signed
msg_len length of msg in bytes
pub denomination public key (used as salt in the KDF)
[out] c resulting challenge scalar, reduced modulo L

Definition at line 151 of file crypto_cs.c.

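/**
 * Computes the full-domain hash of (R', m) as the challenge scalar c.
 *
 * R' || m is hashed with GNUNET_CRYPTO_hash() (512-bit digest) and the
 * digest is fed through GNUNET_CRYPTO_kdf_mod_mpi() with @a pub as the
 * salt (xts) and the context string "Curve25519FDH", which yields a value
 * uniformly distributed in [0, L).  Salting with @a pub binds the
 * challenge to the signer's key.  The result is written to @a c in the
 * little-endian byte order libsodium uses for scalars.
 *
 * @param r_dash blinded public R' that goes into the hash
 * @param msg message being signed
 * @param msg_len number of bytes in @a msg
 * @param pub public key of the signer (used as KDF salt)
 * @param[out] c resulting challenge scalar, reduced mod L
 */
static void
cs_full_domain_hash (const struct GNUNET_CRYPTO_CsRPublic *r_dash,
                     const void *msg,
                     size_t msg_len,
                     const struct GNUNET_CRYPTO_CsPublicKey *pub,
                     struct GNUNET_CRYPTO_CsC *c)
{
  struct GNUNET_HashCode prehash;
  gcry_mpi_t l_mpi;
  gcry_mpi_t c_mpi;
  unsigned char c_big_endian[256 / 8];
  /* NOTE(review): this VLA is sized by msg_len and lives on the stack.  If
   * msg_len can be large and attacker-controlled (e.g. on the verify path)
   * this risks stack exhaustion; an incremental hash would avoid it. */
  size_t r_m_concat_len = sizeof(struct GNUNET_CRYPTO_CsRPublic) + msg_len;
  char r_m_concat[r_m_concat_len];

  /* prehash = H(R' || m) */
  memcpy (r_m_concat,
          r_dash,
          sizeof(struct GNUNET_CRYPTO_CsRPublic));
  if (msg_len > 0) /* memcpy from a NULL msg is UB even for length 0 */
    memcpy (r_m_concat + sizeof(struct GNUNET_CRYPTO_CsRPublic),
            msg,
            msg_len);
  GNUNET_CRYPTO_hash (r_m_concat,
                      r_m_concat_len,
                      &prehash);

  /* group order L as an MPI; it is the modulus of the FDH */
  GNUNET_CRYPTO_mpi_scan_unsigned (&l_mpi,
                                   L_BIG_ENDIAN,
                                   sizeof(L_BIG_ENDIAN));

  /* c = KDF(prehash) mod L, salted with pub and domain-separated */
  GNUNET_CRYPTO_kdf_mod_mpi (&c_mpi,
                             l_mpi,
                             pub,
                             sizeof(struct GNUNET_CRYPTO_CsPublicKey),
                             &prehash,
                             sizeof(struct GNUNET_HashCode),
                             "Curve25519FDH");
  gcry_mpi_release (l_mpi);

  /* serialize c big-endian (L < 2^253, so 32 bytes suffice), then reverse
   * into the little-endian representation libsodium expects */
  GNUNET_CRYPTO_mpi_print_unsigned (c_big_endian,
                                    sizeof(c_big_endian),
                                    c_mpi);
  gcry_mpi_release (c_mpi);
  for (size_t i = 0; i < sizeof(c_big_endian); i++)
    c->scalar.d[i] = c_big_endian[sizeof(c_big_endian) - 1 - i];
}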
void GNUNET_CRYPTO_hash(const void *block, size_t size, struct GNUNET_HashCode *ret)
Compute hash of a given block.
Definition: crypto_hash.c:41
void GNUNET_CRYPTO_mpi_scan_unsigned(gcry_mpi_t *result, const void *data, size_t size)
Convert data buffer into MPI value.
Definition: crypto_mpi.c:132
void GNUNET_CRYPTO_kdf_mod_mpi(gcry_mpi_t *r, gcry_mpi_t n, const void *xts, size_t xts_len, const void *skm, size_t skm_len, const char *ctx)
Deterministically generate a pseudo-random number uniformly from the integers modulo a libgcrypt mpi.
Definition: crypto_kdf.c:87
void GNUNET_CRYPTO_mpi_print_unsigned(void *buf, size_t size, gcry_mpi_t val)
Output the given MPI value to the given buffer in network byte order.
Definition: crypto_mpi.c:79
struct GNUNET_CRYPTO_Cs25519Scalar scalar
The public information of an Schnorr key pair.
the public R (derived from r) used in c
A 512-bit hashcode.

References GNUNET_CRYPTO_Cs25519Scalar::d, GNUNET_CRYPTO_hash(), GNUNET_CRYPTO_kdf_mod_mpi(), GNUNET_CRYPTO_mpi_print_unsigned(), GNUNET_CRYPTO_mpi_scan_unsigned(), L_BIG_ENDIAN, msg, pub, and GNUNET_CRYPTO_CsC::scalar.

Referenced by GNUNET_CRYPTO_cs_calc_blinded_c(), and GNUNET_CRYPTO_cs_verify().


◆ calc_r_dash()

static void calc_r_dash ( const struct GNUNET_CRYPTO_CsBlindingSecret bs,
const struct GNUNET_CRYPTO_CsRPublic r_pub,
const struct GNUNET_CRYPTO_CsPublicKey pub,
struct GNUNET_CRYPTO_CsRPublic blinded_r_pub 
)
static

calculate R'

Parameters
bs blinding secret (alpha, beta)
r_pub the signer's public R
pub the signer's public key
[out] blinded_r_pub R' = R + alpha*G + beta*pub

Definition at line 209 of file crypto_cs.c.

/**
 * Compute the blinded nonce commitment R' = R + alpha*G + beta*pub.
 *
 * Every libsodium call is wrapped in GNUNET_assert, so a failure aborts the
 * process rather than being reported to the caller.
 * NOTE(review): the _noclamp scalar multiplications presumably return -1
 * for an invalid input point, so a malformed @a pub reaching this function
 * would abort the process; if @a pub can come from an untrusted peer it
 * should be validated before this point -- confirm against the callers.
 *
 * @param bs blinding secret (alpha, beta), as produced by
 *        GNUNET_CRYPTO_cs_blinding_secrets_derive()
 * @param r_pub the signer's public R
 * @param pub the signer's public key
 * @param[out] blinded_r_pub where to write R'
 */
static void
calc_r_dash (const struct GNUNET_CRYPTO_CsBlindingSecret *bs,
             const struct GNUNET_CRYPTO_CsRPublic *r_pub,
             const struct GNUNET_CRYPTO_CsPublicKey *pub,
             struct GNUNET_CRYPTO_CsRPublic *blinded_r_pub)
{
  struct GNUNET_CRYPTO_Cs25519Point beta_pub;  /* beta * pub */
  struct GNUNET_CRYPTO_Cs25519Point alpha_g;   /* alpha * G */
  struct GNUNET_CRYPTO_Cs25519Point offset;    /* alpha*G + beta*pub */

  /* beta * pub: variable base, scalar used without further clamping */
  GNUNET_assert (0 == crypto_scalarmult_ed25519_noclamp (beta_pub.y,
                                                         bs->beta.d,
                                                         pub->point.y));
  /* alpha * G */
  GNUNET_assert (0 == crypto_scalarmult_ed25519_base_noclamp (alpha_g.y,
                                                              bs->alpha.d));
  GNUNET_assert (0 == crypto_core_ed25519_add (offset.y,
                                               alpha_g.y,
                                               beta_pub.y));
  /* R' = R + offset */
  GNUNET_assert (0 == crypto_core_ed25519_add (blinded_r_pub->point.y,
                                               r_pub->point.y,
                                               offset.y));
}
#define GNUNET_assert(cond)
Use this for fatal errors that cannot be handled.
unsigned char y[crypto_core_ed25519_BYTES]
This is a point on the Curve25519.
struct GNUNET_CRYPTO_Cs25519Scalar alpha
struct GNUNET_CRYPTO_Cs25519Scalar beta
struct GNUNET_CRYPTO_Cs25519Point point

References GNUNET_CRYPTO_CsBlindingSecret::alpha, GNUNET_CRYPTO_CsBlindingSecret::beta, GNUNET_CRYPTO_Cs25519Scalar::d, GNUNET_assert, GNUNET_CRYPTO_CsRPublic::point, pub, and GNUNET_CRYPTO_Cs25519Point::y.

Referenced by GNUNET_CRYPTO_cs_calc_blinded_c().


Variable Documentation

◆ L_BIG_ENDIAN

const unsigned char L_BIG_ENDIAN[32]
static
Initial value:
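/**
 * Order L of the prime-order subgroup generated by the Ed25519 base point,
 * L = 2^252 + 27742317777372353535851937790883648493, stored big-endian
 * (the byte order GNUNET_CRYPTO_mpi_scan_unsigned() consumes).
 * cs_full_domain_hash() uses it as the modulus when reducing the
 * challenge to a scalar.
 */
static const unsigned char L_BIG_ENDIAN[32] = {
  0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x14, 0xde, 0xf9, 0xde, 0xa2, 0xf7,
  0x9c, 0xd6, 0x58, 0x12, 0x63, 0x1a, 0x5c, 0xf5, 0xd3, 0xed
};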

Definition at line 136 of file crypto_cs.c.

Referenced by cs_full_domain_hash().